Netherlands: AP publishes guidelines on data scraping

On May 1, 2024, the Dutch data protection authority (AP) published guidelines for data scraping by private individuals and organizations.

What is data scraping under the guidelines?

The guidelines clarify that data scraping is the automated collection and recording of information from web pages, and may include:

  • collecting information to train algorithms;
  • collecting questions and complaints from (potential) customers of an organization via online channels such as social media and review websites; and
  • monitoring online messages about an organization, so that the organization can respond to them for reputation management, sales, or marketing.

Notably, the guidelines detail that data scraping may be offered as a service to third parties, but that organizations can also use data scrapers themselves.

The guidelines differentiate data scraping from a search engine, providing that data scraping collects and records searched information in a database and then processes the data for a specific purpose. Further, the guidelines note that although there is a difference between data scraping and web crawling, the guidelines apply to both methods of data collection.

What legislation applies to data scraping?

The guidelines stipulate that organizations scraping personal data must comply with the General Data Protection Regulation (GDPR) and need a legal basis under Article 6 of the GDPR for the scraping.

The guidelines recognize exceptions to the scope of the GDPR. For example, data scraping to train an algorithm that allows users outside the EU to generate images or computer code does not fall under the GDPR, if the controller is established outside the EU and does not offer goods or services within the EU.

Nonetheless, the guidelines detail that data scraping almost always scrapes personal data, and that organizations should be compliant with the principles of processing personal data under Article 5(1) of the GDPR. Specifically, organizations must comply with the principles of legality, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.

What restrictions apply to data scraping of sensitive data?

The guidelines note that organizations processing sensitive personal data must still meet the GDPR requirements for processing sensitive personal data, regardless of whether there is a purpose for processing such data.

In such cases, the guidelines specify that organizations that process sensitive personal data must do so under one of the exceptions provided under the GDPR, such as the explicit consent of the data subject, or apparent disclosure of the data by the data subject. Regarding data made public by the data subject, the guidelines provide that information shared by someone other than the data subject does not fall under such exception. Likewise, for information published by the data subject themselves, the intention to make it public must be explicitly evident from the data subject's conduct.

You can read the press release here and the guidelines here, both only available in Dutch.